Advanced Persistent Threats: The Empire Strikes Back! Nikos Virvilis

Transcript

Advanced Persistent Threats: The Empire Strikes Back!
Nikos Virvilis, Senior Information Assurance Scientist, NCI Agency
Prof. Dimitris Gritzalis, Director of the Information Security & Critical Infrastructure Protection (InfoSec) Laboratory
1st Annual ICT Security World Congress
Athens, March 2015
RELEASABLE TO PUBLIC

Disclaimer
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the NATO Communications and Information Agency, nor does it represent an endorsement of any kind.

Agenda
• Major APT incidents
– Did we learn anything from them?
• Why we keep failing:
– Security vendors
– Consultants
– Academia
• Countermeasures?

Just Another APT Definition
"Skilled, resourceful hackers, state employed or working for the highest bidder, whose full time job is to compromise CIS, in order to exfiltrate information or sabotage them."

State of the (Malware) Art
Malware Name | Public Disclosure Date (1) | Objective
Stuxnet | 2010 | Sabotage
Duqu | 2011 | Information Gathering
Flame | 2012 | Information Gathering
Red October | 2012 | Information Gathering
MiniDuke | 2012 | Information Gathering
Regin | 2014 | Information Gathering
Equation Group Malware | 2015 | Information Gathering
(1) Older samples have been discovered. In some cases they had been active for several years.
• Each one has been called "the world's most advanced malware" (until the next one was detected).

Did we learn anything?
• Before Stuxnet, cyber attacks were not taken seriously:
– Mostly script-kiddies defacing web sites
– "Computers are for playing games"
• Stuxnet proved that cyber attacks can impact the physical world
• The APT malware made it clear that current security solutions are basically useless against sophisticated attackers

National Efforts
• China: China's long term plan is to achieve electronic dominance by 2050 (Andreasson 2011)
• UK: A clear cyber-strategy has been defined, with its main goal to make the UK one of the world's most secure places to do business (Gov.uk 2014b)
• USA: Since 2009 has created the U.S. Cyber Command, an armed-forces command focused on cyberspace operations. U.S. short term plans include growing the Cyber Command to 6000 people by 2016 (and in 2015 the cyber budget is expected to exceed 5 billion USD)
• Most developed nations: Large cyber security teams (hundreds or thousands)

Greek Efforts
This page has been intentionally left blank

Part II - Challenges

Challenge 1: Cyber Security is hard to measure
• Hire someone to build a new web site
– Is the web site up?
– Does it have all the information you have asked for?
– Is it designed the way you like?
– Test it / Benchmark it
• Hire someone to do a web app pentest on your web site
– Did he/she find all the vulnerabilities?
– Has he/she any idea what he/she is doing?

Edge cases
• A high quality report will stand out
– Still no guarantee that the pentester has found all vulnerabilities
• A terrible report will also stand out

Edge cases
Critical finding: We managed to get the public key of the web server!

So what do you do?
• If you feel that the report / outcome is not up to your expectations, speak up!
– Be careful though, you may lose your job...
• Next time hire two companies to do the same assessment
– Yes I know, you don't have the budget but...
– There will always be deltas! However, big deltas should raise warnings
– Don't forget skilled individuals / universities

Challenge 2: Hello Industry (a.k.a. Security Vendor Snake Oil)
• Unbreakable (a.k.a. bulletproof) software: vendors and developers alike have claimed their software does not have any vulnerabilities
• Our system is protected by 1,000,000 bit crypto...

Challenge 2: Hello Industry (a.k.a. Security Vendor Snake Oil) cont.
• We detect APT (Sure... after the malware samples have been submitted to VirusTotal)
• Our AV/IDS/IPS/* detects 100% of all threats
– Fred Cohen has proven mathematically that there are infinite ways of writing a (malicious) software program and thus foolproof detection is impossible (Cohen 1987)
– You can only make such claims if you are using whitelists!

But there are also exceptions
• "Antivirus is dead... as it detects a mere 45 percent of all attacks"
– Brian Dye, Symantec's senior vice president for information security (Symantec 2014)
• Is this news to any of the techies?
• What about the management?

So do we need Industry?
• Of course we do!
– There are excellent solutions
– And yes, they are expensive
– But we need to be honest about what these solutions can or can't do!
• The risk owners need to know the truth about the risks that the organization is facing, in order to make the correct decisions

Challenge 3: Academia
• Too focused on theory
– AUEB has introduced penetration testing & VA, wireless security and web application security modules, for several years
– Only a few other universities have followed
• Quote from a lecturer: "By using endpoint protection on all systems, IDS/IPS, firewalls and a Secure Email Gateway the network is attack proof"...

Challenge 4: In the hunt for cyber warriors
• One of the U.S.'s major challenges is the shortage of cyber security professionals within the United States (Libicki et al. 2014)
• That's weird!
– MSc programmes in Information Security are so popular nowadays
– Even Bachelor degrees!
• Have you visited LinkedIn recently?
– Security Evangelists
– Cyber Gurus
– Ethical Hackers

Not the average Security Guy
• They are not looking for just another <put certificate name here>
• Neither someone with an MSc in InfoSec and a couple of security books under his belt
• Not another cyber philosopher

Skilled technical people are hard to find!
• Can you find attacks in a multi-gig network capture file?
• Can you analyze advanced malware? (!= sandbox | uploading it to VirusTotal)
• Can you write your own tools?
• 5 out of 200?

Challenge 5: C-level executives / management
• "There are two kinds of big companies in the United States. There are those who've been hacked and those who don't know they've been hacked." – James Comey, FBI director
• "Prevention eventually fails. Some readers questioned that conclusion. They thought that it was possible to prevent all intrusion if the right combination of defenses, software security or network architecture was applied ... Those who still believe this philosophy are likely suffering the long-term (APT) compromise that we read about in the media every week" – R. Bejtlich, CSO @Mandiant

Part III - Countermeasures

There are no silver bullets
• But there are some clever tricks that can buy you time...
– So you can detect ongoing attacks
– Block them before the attackers reach their end goal
• Or call someone who knows how

Before you start, make sure that:
• You have already implemented security best practices
• You have highly skilled, motivated people
• And you have C-level support
– (Adequate) budget
– Willing to change the way the organization works

Enter Deception

Deception
• When an attacker gains a foothold in a network:
– She needs to find where the information she is interested in is located, break into the system and exfiltrate it
– In a medium to large organization there are several hundred systems
– So... change the rules

Honeypots
• Honeypots have been proposed for attack detection for decades
• For targeted threat detection, there is limited value in having internet facing honeypots (noisy)
– But they are great for attack detection on internal networks
– Any (old) PC will do!
– Ready to use: http://bruteforce.gr/
honeydrive

Honey files, Honey records
• Honey files: "passwords.docx" on your file server
– Enable file system auditing first (1) ☺
• Honey records on DB:
– Add a table (or just new records) with fake but realistic data
– Enable DB auditing
– If you see something like this, you have a problem:
» SELECT * FROM FakeUserData;
(1) http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/securing-auditing-high-risk-files-windows-servers.html

Honey Users / Hashes
• Honey users: Create a few user accounts as baits
– Make sure they look interesting and real (can be domain, web app or standalone system accounts)
– Potentially combine this with honey files (i.e. a file with fake username:password)
• Honey hashes are also cool! (1)
– Perfect for detecting pass-the-hash attacks!
• Monitor for authentication attempts from these accounts (2); if you see any, you have a major problem!
• For more info, see (Virvilis, 2014a)
(1) https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311
(2) http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

Network statistics (i.e. Netflow)
• Create baselines of your network / systems and look for anomalies!
• Protocol distribution!
    Average_DNS_requests = X
    If Current_DNS_requests > 10 * X:
        print "DNS Tunnel??"
– Monitor for long lived TCP connections
– Monitor where (countries) your systems are connecting to
– Monitor for connections between workstations
– Check http://sourceforge.net/p/sansfor572logstash/wiki/Home/

Basic system auditing
• Why has user X logged in to 10 different systems today?
• Why was user X logged in at 23:00 last night?
• Why are there 3 failed authentication attempts for all the users in your AD?
• Why has a user accessed 50 files on the file server today?
• Why has a user accessed X records on the DB today?

Whitelisting Executables
• The vast majority of APT attacks use (mostly) custom malware (i.e. executables) (Virvilis 2013a, Virvilis 2013b)
• Not foolproof (i.e. shellcode will still execute)
– Same with PowerShell etc.
– Still, you have significantly raised the bar!
• Excellent commercial solutions
– Can't afford them? No problem, use the built-in ones!

Conclusion
• No easy solutions
– We need skilled technical people
– We need to be honest regarding our skills
– C-level executives need to know the truth, they are the risk owners!
• Only if we accept our weaknesses will we be able to build stronger defenses
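The "if you see something like this, you have a problem" rule from the Honey files / Honey records and Honey Users / Hashes slides, written out as detection logic. This is an added example, not code from the presentation: the table name FakeUserData and the file name passwords.docx come from the slides, while the honey account names, host names, the key=value audit format and the sample records are constructed for the example.

```python
"""Honey-token alerting over constructed audit records.

Added example, not from the slides. FakeUserData and passwords.docx are the
slides' own honey objects; every other name, the log line format and the
sample records are constructed for this example.
"""
import re
from typing import Dict, List, Set

# Deception inventory. Nothing legitimate ever touches these objects, so a
# single access is an alert, not a statistic. (Constructed, apart from the two
# names that appear on the slides.)
HONEY_TABLES: Set[str] = {"FakeUserData"}
HONEY_FILES: Set[str] = {r"\\fs01\finance\passwords.docx"}
HONEY_ACCOUNTS: Set[str] = {"svc_backup_adm", "j.anderson.admin"}  # honey users / honey hashes

# Constructed audit records in a simplified key=value shape:
#   kind=db    database audit entry carrying the executed statement
#   kind=file  file-system audit entry (object access)
#   kind=auth  authentication attempt, result=success|failure
SAMPLE_LOG = """\
ts=2015-03-10T09:02:11 kind=auth user=alice host=WS-014 result=success
ts=2015-03-10T09:05:40 kind=db user=crm_app stmt="SELECT id, name FROM Customers WHERE id = 42"
ts=2015-03-10T23:14:07 kind=db user=crm_app stmt="SELECT * FROM FakeUserData;"
ts=2015-03-10T23:16:52 kind=file user=alice path="\\\\fs01\\finance\\passwords.docx" access=read
ts=2015-03-10T23:21:30 kind=auth user=svc_backup_adm host=DC-01 result=failure
ts=2015-03-10T23:21:33 kind=auth user=svc_backup_adm host=DC-01 result=success
ts=2015-03-11T08:00:02 kind=auth user=bob host=WS-022 result=success
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def table_names(stmt: str) -> Set[str]:
    """Table names referenced after FROM/JOIN/INTO/UPDATE (enough for audit logs)."""
    return set(TABLE_RE.findall(stmt))


def detect(log_text: str) -> List[dict]:
    """Return one alert per record that touches a honey token."""
    honey_files = {p.lower() for p in HONEY_FILES}
    honey_accounts = {a.lower() for a in HONEY_ACCOUNTS}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        kind = rec.get("kind")
        if kind == "db":
            hit = table_names(rec.get("stmt", "")) & HONEY_TABLES
            if hit:
                alerts.append({"ts": rec["ts"], "token": "honey_table", "name": sorted(hit)[0],
                               "actor": rec.get("user"), "severity": "high"})
        elif kind == "file" and rec.get("path", "").lower() in honey_files:
            alerts.append({"ts": rec["ts"], "token": "honey_file", "name": rec["path"],
                           "actor": rec.get("user"), "severity": "high"})
        elif kind == "auth" and rec.get("user", "").lower() in honey_accounts:
            # Success and failure both count: nobody uses a honey account legitimately.
            # A honey hash that was only ever planted in memory is the same case: any
            # authentication with it means the credential was lifted from that host.
            alerts.append({"ts": rec["ts"], "token": "honey_account", "name": rec["user"],
                           "actor": rec.get("host"), "severity": "critical",
                           "result": rec.get("result")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of the design is that a honey token needs no baseline and no tuning: the match is exact and the false-positive rate is whatever your inventory hygiene makes it, so the only real work is keeping the token list in step with what was actually planted and making sure the corresponding auditing (file system, database, logon events) is switched on before the first token goes out.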
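The four bullets of the Network statistics (i.e. Netflow) slide as runnable rules over a slice of flow records, including the slide's 10 * X DNS check compared against a per-host baseline rather than against itself. This is an added example, not the presenter's code; the flow records, the baseline figures, the address ranges and the tiny prefix-to-country table are constructed stand-ins for a real flow collector and GeoIP database.

```python
"""Baseline-and-anomaly rules over constructed flow records.

Added example, not from the slides. Rules: DNS request volume against a
per-host baseline (the slide's 10 * X), long-lived TCP connections,
workstation-to-workstation connections, and connections to unexpected
countries. Flows, baselines, address ranges and the prefix-to-country table
are all constructed.
"""
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List

INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # constructed: all of our address space
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")    # constructed: client subnets
EXPECTED_COUNTRIES = {"GR", "BE", "US"}                 # where this organization expects to connect
LONG_LIVED_SECONDS = 3600                               # TCP flows longer than an hour are suspect
DNS_SPIKE_FACTOR = 10                                   # the slide's "10 * X"

# Per-host baseline of DNS requests per hour, learned from earlier traffic (constructed).
DNS_BASELINE: Dict[str, float] = {"10.10.1.5": 40, "10.10.1.9": 35}

# Stand-in for a GeoIP database: prefix -> ISO country code (constructed mapping).
GEO_TABLE = [(ipaddress.ip_network(prefix), cc) for prefix, cc in [
    ("192.0.2.0/24", "US"), ("198.51.100.0/24", "BE"), ("203.0.113.0/24", "KP"),
]]

# Constructed one-hour slice of flows: start,src,dst,proto,dport,duration_s,bytes
FLOWS_CSV = """\
start,src,dst,proto,dport,duration_s,bytes
2015-03-10T10:00:01,10.10.1.5,10.20.0.10,udp,53,0,120
2015-03-10T10:00:05,10.10.1.5,192.0.2.44,tcp,443,12,53000
2015-03-10T10:01:10,10.10.1.9,10.20.0.10,udp,53,0,98
2015-03-10T10:02:30,10.10.1.9,10.10.1.5,tcp,445,4,2100
2015-03-10T10:03:00,10.10.1.5,203.0.113.7,tcp,443,5400,9100000
"""
# Plus a burst of 500 DNS lookups from 10.10.1.9 within the hour, the shape a
# DNS tunnel leaves in flow data (constructed).
FLOWS_CSV += "".join(
    f"2015-03-10T10:{i // 60:02d}:{i % 60:02d},10.10.1.9,10.20.0.10,udp,53,0,77\n"
    for i in range(500)
)


def load_flows(text: str) -> List[dict]:
    """Parse the CSV slice into dicts with the numeric fields converted."""
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        for key in ("dport", "duration_s", "bytes"):
            f[key] = int(f[key])
    return flows


def country_of(ip: str) -> str:
    """First matching prefix in the stand-in GeoIP table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [cc for net, cc in GEO_TABLE if addr in net]
    return matches[0] if matches else "??"


def analyze(flows: List[dict]) -> List[dict]:
    """Apply the four slide rules and return one alert dict per finding."""
    alerts = []
    # Rule 1: DNS requests per source host against that host's baseline.
    dns_per_host = Counter(f["src"] for f in flows if f["proto"] == "udp" and f["dport"] == 53)
    for host, count in dns_per_host.items():
        baseline = DNS_BASELINE.get(host)
        if baseline is not None and count > DNS_SPIKE_FACTOR * baseline:
            alerts.append({"rule": "dns_spike", "host": host, "count": count, "baseline": baseline})
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        # Rule 2: long-lived TCP connections (a channel kept open for hours).
        if f["proto"] == "tcp" and f["duration_s"] > LONG_LIVED_SECONDS:
            alerts.append({"rule": "long_lived_tcp", "host": f["src"], "dst": f["dst"],
                           "duration_s": f["duration_s"]})
        # Rule 3: workstation talking directly to workstation.
        if src in WORKSTATIONS and dst in WORKSTATIONS:
            alerts.append({"rule": "ws_to_ws", "host": f["src"], "dst": f["dst"], "dport": f["dport"]})
        # Rule 4: external destinations in countries the organization does not expect.
        if dst not in INTERNAL:
            cc = country_of(f["dst"])
            if cc not in EXPECTED_COUNTRIES:
                alerts.append({"rule": "unexpected_country", "host": f["src"], "dst": f["dst"],
                               "country": cc})
    return alerts


if __name__ == "__main__":
    for alert in analyze(load_flows(FLOWS_CSV)):
        print(alert)
```

A baseline only catches what departs from it, so the DNS rule is silent for a host that has no baseline entry; in practice the learning period has to cover every host you want the rule to protect, and the other three rules are the ones that still fire when no baseline exists.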
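The questions on the Basic system auditing slide, each turned into a check over one day of logon and file-access events. This is an added example, not the presenter's code; the events are shaped loosely like Windows Security log entries (4624 logon, 4625 failed logon, 4663 object access), and the accounts, hosts, thresholds and the events themselves are constructed.

```python
"""The "Basic system auditing" questions as runnable checks.

Added example, not from the slides. Each function answers one question from
that slide over a constructed day of events shaped loosely like Windows
Security log entries (4624 logon, 4625 failed logon, 4663 object access).
Accounts, hosts, thresholds and the events themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

MAX_HOSTS_PER_DAY = 10    # "logged in to 10 different systems today?"
BUSINESS_HOURS = (8, 19)  # logons before 08:00 or from 19:00 on are off-hours
SPRAY_MIN_ACCOUNTS = 20   # failed logons against this many accounts from one source
MAX_FILES_PER_DAY = 50    # "accessed 50 files on the file server today?"


def ev(ts: str, event_id: int, user: str, host: str, **extra) -> dict:
    """Build one constructed event."""
    e = {"ts": datetime.fromisoformat(ts), "event_id": event_id, "user": user, "host": host}
    e.update(extra)
    return e


EVENTS: List[dict] = [
    ev("2015-03-10T08:31:00", 4624, "alice", "WS-014"),
    ev("2015-03-10T09:02:00", 4624, "bob", "WS-022"),
    ev("2015-03-10T09:40:00", 4663, "alice", "FS-01", path=r"\\fs01\team\plan.docx"),
    ev("2015-03-10T23:00:00", 4624, "alice", "WS-014"),  # the 23:00 logon
]
# One account logging on to 12 different hosts within an hour.
EVENTS += [ev(f"2015-03-10T10:{i:02d}:00", 4624, "mallory", f"WS-{100 + i}") for i in range(12)]
# The same account reading 60 distinct files on the file server.
EVENTS += [ev(f"2015-03-10T11:{i:02d}:00", 4663, "mallory", "FS-01", path=rf"\\fs01\finance\doc{i}.xlsx")
           for i in range(60)]
# Three failed logons for each of 25 accounts, all from one source address.
EVENTS += [ev(f"2015-03-10T12:{(a * 3 + k) // 60:02d}:{(a * 3 + k) % 60:02d}", 4625,
              f"user{a:02d}", "DC-01", source="10.10.7.77")
           for a in range(25) for k in range(3)]


def excessive_hosts(events: List[dict]) -> List[dict]:
    """Why has user X logged in to 10 different systems today?"""
    hosts: Dict[tuple, set] = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            hosts[(e["user"], e["ts"].date())].add(e["host"])
    return [{"rule": "many_hosts", "user": u, "day": str(d), "hosts": len(h)}
            for (u, d), h in hosts.items() if len(h) >= MAX_HOSTS_PER_DAY]


def off_hours_logons(events: List[dict]) -> List[dict]:
    """Why was user X logged in at 23:00 last night?"""
    start, end = BUSINESS_HOURS
    return [{"rule": "off_hours_logon", "user": e["user"], "host": e["host"], "ts": e["ts"].isoformat()}
            for e in events if e["event_id"] == 4624 and not (start <= e["ts"].hour < end)]


def password_spray(events: List[dict]) -> List[dict]:
    """Why are there 3 failed authentication attempts for all the users in your AD?"""
    by_source: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_source[e.get("source", "?")].append(e["user"])
    return [{"rule": "password_spray", "source": s, "accounts": len(set(users)), "failures": len(users)}
            for s, users in by_source.items() if len(set(users)) >= SPRAY_MIN_ACCOUNTS]


def heavy_file_access(events: List[dict]) -> List[dict]:
    """Why has a user accessed 50 files on the file server today?"""
    files: Dict[tuple, set] = defaultdict(set)
    for e in events:
        if e["event_id"] == 4663:
            files[(e["user"], e["host"], e["ts"].date())].add(e["path"])
    return [{"rule": "heavy_file_access", "user": u, "server": h, "day": str(d), "files": len(p)}
            for (u, h, d), p in files.items() if len(p) >= MAX_FILES_PER_DAY]


def audit(events: List[dict]) -> List[dict]:
    """Run every check and return the combined list of alerts."""
    return excessive_hosts(events) + off_hours_logons(events) + password_spray(events) + heavy_file_access(events)


if __name__ == "__main__":
    for alert in audit(EVENTS):
        print(alert)
```

None of these checks needs anything beyond the audit events the operating system already produces; the work is in choosing thresholds that fit your own organization (an administrator's daily host count is not a receptionist's) and in actually enabling logon and object-access auditing so that the events exist to be counted.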
References
1. Cohen F., "Computer viruses: Theory and experiments", Computers & Security, Vol. 6, No. 1, pp. 22-35, 1987.
2. Denault M., Gritzalis D., Karagiannis D., Spirakis P., "Intrusion detection: Evaluation and performance issues of the SECURENET system", Computers & Security, Vol. 13, No. 6, pp. 495-508, October 1994.
3. Dritsas S., Mallios J., Theoharidou M., Marias G., Gritzalis D., "Threat analysis of the Session Initiation Protocol, regarding spam", in Proc. of the 3rd IEEE International Workshop on Information Assurance, pp. 426-433, IEEE Press, USA, 2007.
4. Gritzalis D., "Insider threat prevention through Open Source Intelligence based on Online Social Networks", 13th European Conference on Cyber Warfare and Security (ECCWS-2014), Keynote Address, Greece, 2014.
5. Kandias M., Mylonas A., Virvilis N., Theoharidou M., Gritzalis D., "An insider threat prediction model", in Proc. of the 7th International Conference on Trust, Privacy, and Security in Digital Business (TrustBus-2010), pp. 26-37, Springer (LNCS 6264), Spain, 2010.
6. Kandias M., Virvilis N., Gritzalis D., "The Insider Threat in Cloud Computing", in Proc. of the 6th International Workshop on Critical Infrastructure Security (CRITIS-2011), pp. 93-103, Springer (LNCS 6983), Switzerland, 2011.
7. Kim J., Cybersecurity: Public sector threats and responses, CRC Press, 2011.
8. Mylonas A., Tsalis N., Gritzalis D., "Evaluating the manageability of web browsers controls", in Proc. of the 9th International Workshop on Security and Trust Management (STM-2013), pp. 82-98, Springer (LNCS 8203), United Kingdom, 2013.
9. Pipyros K., Mitrou L., Gritzalis D., Apostolopoulos T., "A cyber attack evaluation methodology", in Proc. of the 13th European Conference on Cyber Warfare and Security (ECCWS-2014), pp. 264-270, ACPI, Greece, 2014.
10. Reed T., At the Abyss: An insider's history of the Cold War, Presidio Press, 2007.
11. Virvilis N., Tsalis N., Mylonas A., Gritzalis D., "Mobile devices: A phisher's paradise", in Proc. of the 11th International Conference on Security & Cryptography (SECRYPT-2014), pp. 79-87, ScitePress, Austria, 2014.
12. Virvilis N., Gritzalis D., "Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game?", in Proc. of the 10th IEEE International Conference on Autonomic and Trusted Computing (ATC-2013), pp. 396-403, IEEE Press, Italy, 2013.
13. Virvilis N., Gritzalis D., "The Big Four - What we did wrong in Advanced Persistent Threat detection?", in Proc. of the 8th International Conference on Availability, Reliability & Security (ARES-2013), pp. 248-254, IEEE, Germany, 2013.
14. Virvilis N., Dritsas S., Gritzalis D., "Secure Cloud storage: Available infrastructure and architecture review and evaluation", in Proc. of the 8th International Conference on Trust, Privacy & Security in Digital Business (TrustBus-2011), pp. 74-85, Springer (LNCS 6863), France, 2011.
15. Virvilis N., Dritsas S., Gritzalis D., "A cloud provider-agnostic secure storage protocol", in Proc. of the 5th International Workshop on Critical Information Infrastructure Security (CRITIS-2010), pp. 104-115, Springer (LNCS 6712), Greece, 2010.
16. Virvilis N., Serrano O., "Changing the game: The art of deceiving sophisticated attackers", in Proc. of the 6th International Conference on Cyber Conflict (CYCON), Estonia, 2014.
17. http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
18. https://www.gov.uk/government/news/cyber-defence-funding-worth-2-million-available-to-suppliers
19. http://www.wsj.com/articles/SB10001424052702303417104579542140235850578
20. http://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR430/RAND_RR430.pdf